Cyber Incident Victim: Celsius Network

Date:

Nov 2020

Location:

United States of America

Summary

A social engineering attack targeting GoDaddy employees enabled unauthorized domain transfers for multiple cryptocurrency platforms, including Celsius.network. Attackers manipulated DNS records to redirect email and web traffic, compromising internal email accounts and partially accessing infrastructure. The incident involved fraudulent control over domain settings, allowing attempts to reset passwords on third-party services like Slack and GitHub. GoDaddy identified the breach through routine audits, locked affected accounts, and reverted unauthorized changes. Similar attacks leveraged voice phishing to exploit remote work conditions, with perpetrators gathering employee information from public sources to facilitate credential theft.

Description

The incident involving Celsius.network occurred as part of a broader campaign targeting multiple cryptocurrency platforms through compromised GoDaddy domain management accounts between November 13-18, 2020. Attackers executed social engineering schemes against GoDaddy employees, tricking them into transferring control of customer domains. This enabled unauthorized DNS record modifications that redirected email and web traffic for affected services. The campaign initially impacted Liquid.com on November 13, where attackers gained control of internal email accounts and partially compromised infrastructure through redirected domain settings. On November 18, NiceHash detected similar unauthorized DNS changes that briefly redirected their traffic, prompting temporary freezing of customer funds while investigating potential third-party service compromises via email access.

KrebsOnSecurity's analysis revealed Celsius.network as one of several cryptocurrency platforms whose GoDaddy-managed domains showed DNS alterations redirecting email to privateemail.com during the attack window, though Celsius did not publicly confirm details. GoDaddy acknowledged a "small number" of customer domains were compromised after employees fell for social engineering, locking affected accounts and reverting unauthorized changes. The attackers employed tactics consistent with previous 2020 GoDaddy breaches, including voice phishing (vishing) scams where fraudsters posed as IT staff to harvest employee credentials. This incident followed March 2020 attacks where GoDaddy employee social engineering enabled domain hijacking of Escrow.com and an October 2019 hosting breach affecting 28,000 accounts discovered months later. While Celsius.network's specific operational impacts remained unconfirmed, the pattern suggested attackers sought email control to facilitate password resets and infrastructure access across cryptocurrency targets. GoDaddy attributed the attack vector to increasingly sophisticated social engineering tactics exploiting remote work conditions during the COVID-19 pandemic.
